Implementing Key Chain Management on Cisco IOS XR Software
Key chain management is a common way to configure shared secrets (keys) on all the entities that must authenticate each other before establishing trust. Routing protocols and network management applications on Cisco IOS XR software often use this authentication to protect their communication with peers.
Feature History for Implementing Key Chain Management on Cisco IOS XR Software
Release | Modification
Release 3.3.0 | This feature was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Routers.
Contents
• Restrictions for Implementing Key Chain Management
• Information About Implementing Key Chain Management
• How to Implement Key Chain Management
• Configuration Examples for Implementing Key Chain Management
• Additional References
Restrictions for Implementing Key Chain Management
Key lifetimes are evaluated against the system clock. Changing the system clock, whether manually or through a time synchronization source, changes which keys in the existing configuration are currently valid: keys can expire, or become active, earlier or later than you intended.
Information About Implementing Key Chain Management
A key chain does nothing on its own; it must be referenced by an application (such as a routing protocol) that uses the keys to authenticate its peers. The key chain provides a secure mechanism for handling the keys and for rolling them over according to their lifetimes.
To implement key chain management, you must understand the following concept:
• Lifetime of a Key
Lifetime of a Key
If you are using keys as the security method, you must specify the lifetime for the keys and change the keys on a regular basis when they expire. To maintain stability, each party must be able to store and use more than one key for an application at the same time. A key chain is a sequence of keys that are collectively managed for authenticating the same peer, peer group, or both.
Key chain management groups a sequence of keys together under a key chain and associates each key in the key chain with a lifetime.
Note
Any key that is configured without a lifetime is considered invalid; therefore, the key is rejected during configuration.
The lifetime of a key is defined by the following options:
• Start-time: the absolute time at which the key becomes valid.
• End-time: the absolute time at which the key stops being valid, a duration in seconds measured from the start-time, or infinite.
Each key definition within the key chain must specify the time interval for which that key is active, that is, its lifetime. During a key's lifetime, routing update packets are sent with that key. A key cannot be used outside its lifetime. Therefore, for a given key chain, make the lifetimes of successive keys overlap so that there is no period in which no key is active. If such a period occurs, neighbor authentication cannot take place and routing updates fail.
Multiple key chains can be specified.
How to Implement Key Chain Management
This section contains the following procedures:
• Configuring a Key Chain (required)
• Configuring a Key Identifier for the Key Chain (required)
• Configuring the Text for the Key String (required)
• Determining the Valid Keys (optional)
• Configuring the Keys to Generate Authentication Digest for the Outbound Application Traffic (required)
Configuring a Key Chain
This task configures a name for the key chain.
You can create or modify the name of the key chain.
SUMMARY STEPS
1. configure
2. key chain key-chain-name
3. end or commit
4. show key chain key-chain-name

DETAILED STEPS

Step 1: configure
Example:
RP/0/RP0/CPU0:router# configure
Purpose: Enters global configuration mode.

Step 2: key chain key-chain-name
Example:
RP/0/RP0/CPU0:router(config)# key chain isis-keys
RP/0/RP0/CPU0:router(config-isis-keys)#
Purpose: Creates a name for the key chain and enters key chain configuration mode.
Note: Configuring only the key chain name, without any key identifier, is a no-operation. When you exit the configuration session, the router does not prompt you to commit until you have configured at least one key identifier and at least one keychain-key configuration command for it (for example, a lifetime or a key string).

Step 3: end or commit
Example:
RP/0/RP0/CPU0:router(config-isis-keys)# end
or
RP/0/RP0/CPU0:router(config-isis-keys)# commit
Purpose: Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
– Entering yes saves the configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Step 4: show key chain key-chain-name
Example:
RP/0/RP0/CPU0:router# show key chain isis-keys
Purpose: (Optional) Displays the key chain configuration, including its keys and their lifetimes.
Note: The key-chain-name argument is optional. If you omit it, all key chains are displayed.
What to Do Next
After completing key chain configuration, see the Configuring a Key Identifier for the Key Chain section.
Configuring a Key Identifier for the Key Chain
This task configures a key identifier for the key chain.
You can create or modify the key for the key chain.
SUMMARY STEPS
1. configure
2. key chain key-chain-name
3. key key-id
4. end or commit

DETAILED STEPS

Step 1: configure
Example:
RP/0/RP0/CPU0:router# configure
Purpose: Enters global configuration mode.

Step 2: key chain key-chain-name
Example:
RP/0/RP0/CPU0:router(config)# key chain isis-keys
Purpose: Creates a name for the key chain.

Step 3: key key-id
Example:
RP/0/RP0/CPU0:router(config-isis-keys)# key 8
RP/0/RP0/CPU0:router(config-isis-keys-0x8)#
Purpose: Creates a key for the key chain and enters keychain-key configuration mode. The key ID number is translated from decimal to hexadecimal to form the command mode subprompt (key 8 becomes config-isis-keys-0x8).

Step 4: end or commit
Example:
RP/0/RP0/CPU0:router(config-isis-keys-0x8)# end
or
RP/0/RP0/CPU0:router(config-isis-keys-0x8)# commit
Purpose: Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
– Entering yes saves the configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
What to Do Next
After configuring a key identifier for the key chain, see the Configuring the Text for the Key String section.
Configuring the Text for the Key String
This task configures the text for the key string.
SUMMARY STEPS
1. configure
2. key chain key-chain-name
3. key key-id
4. key-string [clear | password] key-string-text
5. end or commit

DETAILED STEPS

Step 1: configure
Example:
RP/0/RP0/CPU0:router# configure
Purpose: Enters global configuration mode.

Step 2: key chain key-chain-name
Example:
RP/0/RP0/CPU0:router(config)# key chain isis-keys
Purpose: Creates a name for the key chain.

Step 3: key key-id
Example:
RP/0/RP0/CPU0:router(config-isis-keys)# key 8
RP/0/RP0/CPU0:router(config-isis-keys-0x8)#
Purpose: Creates a key for the key chain.

Step 4: key-string [clear | password] key-string-text
Example:
RP/0/RP0/CPU0:router(config-isis-keys-0x8)# key-string password 8
Purpose: Specifies the text string for the key.
• Use the clear keyword to enter the key string in clear text; use the password keyword to enter a key string that is already in its encrypted form, as it appears in a saved configuration.
• The encrypted form is a reversible encoding, not a one-way hash: anyone who can read the running configuration, or a backup of it, can recover the key. Protect configuration files as you would the keys themselves, and use a key string that is long and random rather than a short or guessable value.

Step 5: end or commit
Example:
RP/0/RP0/CPU0:router(config-isis-keys-0x8)# end
or
RP/0/RP0/CPU0:router(config-isis-keys-0x8)# commit
Purpose: Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
– Entering yes saves the configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
What to Do Next
After configuring the text for the key string, see the Configuring the Keys to Generate Authentication Digest for the Outbound Application Traffic section.
Determining the Valid Keys
This task determines the valid keys for local applications to authenticate the remote peers.
SUMMARY STEPS
1. configure
2. key chain key-chain-name
3. key key-id
4. accept-lifetime start-time [duration durationvalue | infinite | end-time]
5. end or commit

DETAILED STEPS

Step 1: configure
Example:
RP/0/RP0/CPU0:router# configure
Purpose: Enters global configuration mode.

Step 2: key chain key-chain-name
Example:
RP/0/RP0/CPU0:router(config)# key chain isis-keys
Purpose: Creates a name for the key chain.

Step 3: key key-id
Example:
RP/0/RP0/CPU0:router(config-isis-keys)# key 8
RP/0/RP0/CPU0:router(config-isis-keys-0x8)#
Purpose: Creates a key for the key chain.

Step 4: accept-lifetime start-time [duration durationvalue | infinite | end-time]
Example:
RP/0/RP0/CPU0:router(config-isis-keys-0x8)# accept-lifetime 1:00:00 october 24 2005 infinite
Purpose: (Optional) Specifies, in terms of clock time, the period during which the key is accepted for validating the authentication digest on inbound packets from peers. You give a start-time (hh:mm:ss month day year) followed by one of the following:
• duration keyword (a length of time in seconds)
• infinite keyword
• end-time argument
Make the accept lifetime of a key at least as long as its send lifetime, and let it overlap with the accept lifetime of the next key, so that packets signed by a peer that has not yet rolled over are still accepted.

Step 5: end or commit
Example:
RP/0/RP0/CPU0:router(config-isis-keys-0x8)# end
or
RP/0/RP0/CPU0:router(config-isis-keys-0x8)# commit
Purpose: Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
– Entering yes saves the configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Configuring the Keys to Generate Authentication Digest for the Outbound Application Traffic
This task configures the keys to generate authentication digest for the outbound application traffic.
SUMMARY STEPS
1. configure
2. key chain key-chain-name
3. key key-id
4. send-lifetime start-time [duration durationvalue | infinite | end-time]
5. end or commit

DETAILED STEPS

Step 1: configure
Example:
RP/0/RP0/CPU0:router# configure
Purpose: Enters global configuration mode.

Step 2: key chain key-chain-name
Example:
RP/0/RP0/CPU0:router(config)# key chain isis-keys
Purpose: Creates a name for the key chain.

Step 3: key key-id
Example:
RP/0/RP0/CPU0:router(config-isis-keys)# key 8
RP/0/RP0/CPU0:router(config-isis-keys-0x8)#
Purpose: Creates a key for the key chain.

Step 4: send-lifetime start-time [duration durationvalue | infinite | end-time]
Example:
RP/0/RP0/CPU0:router(config-isis-keys-0x8)# send-lifetime 1:00:00 october 24 2005 infinite
Purpose: (Optional) Specifies, in terms of clock time, the period during which the key is valid for generating the authentication digest on outbound packets. You give a start-time (hh:mm:ss month day year) followed by one of the following:
• duration keyword (a length of time in seconds)
• infinite keyword
• end-time argument
Because lifetimes are evaluated against the local system clock, synchronize the clock with Network Time Protocol (NTP) or another time synchronization method whenever you set lifetimes on keys; otherwise peers can disagree about which key is current and authentication fails.

Step 5: end or commit
Example:
RP/0/RP0/CPU0:router(config-isis-keys-0x8)# end
or
RP/0/RP0/CPU0:router(config-isis-keys-0x8)# commit
Purpose: Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
– Entering yes saves the configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Configuration Examples for Implementing Key Chain Management
This section provides the following configuration example:
• Configuring Key Chain Management: Example
Configuring Key Chain Management: Example
The following example shows how to configure key chain management:
send-lifetime 1:00:00 october 24 2005 infinite
accept-lifetime 1:00:00 october 24 2005 infinite
Uncommitted changes found, commit them? [yes]: yes
Send lifetime: 01:00:00, 24 Oct 2005 - Always valid [Valid now]
Accept lifetime: 01:00:00, 24 Oct 2005 - Always valid [Valid now]
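The following is an added worked example for the lifetime rules described in Lifetime of a Key, the accept-lifetime and send-lifetime tasks, and the system clock restriction above. It is not Cisco code and not part of the original document. The Python model parses key chain configuration written in the syntax used in the procedures, reports which key signs outbound traffic and which keys are accepted at a given clock time, and finds periods in which no send key is active. The sample configuration is constructed for the example; the tie-break that the lowest key ID is used when several send lifetimes overlap is an assumption of the model, not a rule stated on this page.

```python
# Added example, not Cisco code: a model of the key-chain lifetime rules on this
# page, driven by configuration in the syntax shown in the procedures above.
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

INFINITE = datetime.max  # stands in for the 'infinite' keyword

@dataclass
class Lifetime:
    start: datetime
    end: datetime  # INFINITE when configured as 'infinite'
    def contains(self, t: datetime) -> bool:
        return self.start <= t < self.end  # half-open: invalid once 'end' is reached

@dataclass
class Key:
    key_id: int
    key_string: str = ""
    send: Lifetime | None = None
    accept: Lifetime | None = None

def _parse_time(tok: list[str]) -> tuple[datetime, list[str]]:
    # hh:mm:ss month day year, e.g. '1:00:00 october 24 2005'; also returns leftover tokens
    return datetime.strptime(" ".join(tok[:4]), "%H:%M:%S %B %d %Y"), tok[4:]

def at(text: str) -> datetime:  # clock time in the page's format, e.g. at('1:00:00 october 24 2005')
    return _parse_time(text.split())[0]

def _parse_lifetime(tok: list[str]) -> Lifetime:
    # start-time followed by 'infinite' | 'duration <seconds>' | end-time
    start, rest = _parse_time(tok)
    if rest[0] == "infinite":
        return Lifetime(start, INFINITE)
    if rest[0] == "duration":
        return Lifetime(start, start + timedelta(seconds=int(rest[1])))
    return Lifetime(start, _parse_time(rest)[0])

def parse_key_chains(config: str) -> dict[str, list[Key]]:
    """Parse 'key chain', 'key', 'key-string' and *-lifetime lines into chains."""
    chains: dict[str, list[Key]] = {}
    keys: list[Key] = []
    key = Key(-1)  # placeholder until the first 'key' line
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["key", "chain"]:
            keys = chains.setdefault(tok[2], [])
        elif tok[:1] == ["key"]:
            key = Key(int(tok[1]))
            keys.append(key)
        elif tok[:1] == ["key-string"]:
            key.key_string = tok[-1]  # the optional 'clear' / 'password' keyword is skipped
        elif tok[:1] == ["send-lifetime"]:
            key.send = _parse_lifetime(tok[1:])
        elif tok[:1] == ["accept-lifetime"]:
            key.accept = _parse_lifetime(tok[1:])
    return chains

def send_key(keys: list[Key], now: datetime) -> Key | None:
    """Key signing outbound packets at 'now'; None means no key is active.
    Lowest key ID wins when send lifetimes overlap (an assumption of this model)."""
    live = [k for k in keys if k.send and k.send.contains(now)]
    return min(live, key=lambda k: k.key_id, default=None)

def accepted_keys(keys: list[Key], now: datetime) -> list[int]:
    """IDs of keys whose accept-lifetime covers 'now', usable to verify inbound digests."""
    return [k.key_id for k in keys if k.accept and k.accept.contains(now)]

def send_gaps(keys: list[Key]) -> list[tuple[datetime, datetime]]:
    """Periods with no active send key between the first and last send lifetime."""
    spans = sorted((k.send.start, k.send.end) for k in keys if k.send)
    gaps = []
    for i in range(1, len(spans)):
        covered_until = max(end for _, end in spans[:i])
        if spans[i][0] > covered_until:
            gaps.append((covered_until, spans[i][0]))
    return gaps

# Constructed sample, not from the original page: 'isis-keys' overlaps key 1 and
# key 2 as the page recommends; 'ospf-keys' leaves a one-hour hole between keys.
SAMPLE_CONFIG = """key chain isis-keys
 key 1
  key-string clear firstkey
  send-lifetime 00:00:00 january 1 2024 01:00:00 march 1 2024
  accept-lifetime 00:00:00 january 1 2024 02:00:00 march 1 2024
 key 2
  key-string clear secondkey
  send-lifetime 00:00:00 march 1 2024 infinite
  accept-lifetime 23:00:00 february 29 2024 infinite
key chain ospf-keys
 key 1
  send-lifetime 00:00:00 january 1 2024 duration 3600
  accept-lifetime 00:00:00 january 1 2024 duration 3600
 key 2
  send-lifetime 02:00:00 january 1 2024 infinite
  accept-lifetime 02:00:00 january 1 2024 infinite
"""
CHAINS = parse_key_chains(SAMPLE_CONFIG)
```

With this model, send_gaps(CHAINS["isis-keys"]) is empty because key 2 starts sending before key 1 stops, and key 2 is accepted an hour before it is sent so that a peer that rolls over slightly early is still authenticated. send_gaps(CHAINS["ospf-keys"]) reports the hour between 01:00:00 and 02:00:00 on January 1, 2024, during which neither key is valid for sending; neighbor authentication would fail there. Evaluating send_key at a time before the first start-time returns None, which is exactly the effect a backward clock change has on a router whose keys were previously valid.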
Additional References
The following sections provide references related to implementing key chain management.
Related Documents
Related Topic | Document Title
Key chain management commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples | Key Chain Management Commands on Cisco IOS XR Software

Standards
Standards | Title
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | —

MIBs

RFCs
RFCs | Title
No new or modified RFCs are supported by this feature. | —

Technical Assistance
Description | Link
The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content. | http://www.cisco.com/techsupport